With Operation DreamJob, the APT (Advanced Persistent Threat) group Lazarus has targeted Linux users for the first time. The most prominent victim is the VoIP software developer 3CX. ESET researchers have found a connection between this campaign and the cyber attack on 3CX.
Researchers at the IT security vendor ESET were able to reconstruct the entire course of the operation and thus show that the North Korea-aligned group was behind the supply chain attack on 3CX. The chain starts with a fake job offer delivered as a ZIP archive and ends with the SimplexTea malware, a Linux backdoor whose download is staged from an OpenDrive account.
3CX: It was Lazarus from North Korea
“Following our recent discoveries, we have found further corroborative evidence that the Lazarus Group was behind the supply chain attack on 3CX. This connection was suspected from the start and has since been proven by several security researchers,” says ESET researcher Peter Kálnai. “This compromised software, deployed across various IT infrastructures, allows downloading and execution of any type of payload that can wreak havoc. The stealth nature of a supply chain attack makes this method of malware distribution very attractive from an attacker's perspective. Lazarus has used this technique in the past,” explains Kálnai. “It is also interesting that Lazarus can produce and consume native malware for all major desktop operating systems: Windows, macOS and Linux.”
Start with infected job offer via email
Operation DreamJob is the name given to a series of campaigns in which Lazarus uses social engineering techniques to compromise its targets. Fake job offers serve as bait. On March 20, a user in Georgia submitted a ZIP archive called "HSBC job offer.pdf.zip" to VirusTotal. Given other Lazarus DreamJob campaigns, this malware was likely distributed via spear phishing or direct messages on LinkedIn. The archive contains a single file: a native 64-bit Intel Linux binary written in Go and named "HSBC job offer․pdf". Note that the dot in that name is not an ASCII period but the Unicode character U+2024 ONE DOT LEADER, so the file has no real extension at all: it merely looks like a PDF in a file listing while actually being an executable.
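The lure file described above combines two tricks a triage script should catch: a look-alike dot character that fakes a document extension, and an ELF executable hiding behind that name. The following Python is an added example written for this page, not ESET's code or anything recovered from the campaign; the archive it inspects is constructed inline (an ELF header followed by filler bytes, named with U+2024 like the real lure) and the list of confusable dot characters is an assumption chosen for illustration, not a complete inventory.

```python
import io
import zipfile

# Unicode code points that render like an ASCII period and can be used to fake
# a document extension such as ".pdf" in front of an executable payload.
# Assumed list for illustration; not exhaustive.
CONFUSABLE_DOTS = {
    "\u2024": "ONE DOT LEADER",
    "\u2027": "HYPHENATION POINT",
    "\uff0e": "FULLWIDTH FULL STOP",
    "\u00b7": "MIDDLE DOT",
}

ELF_MAGIC = b"\x7fELF"
DOCUMENT_EXTENSIONS = ("pdf", "doc", "docx", "txt")


def _normalized_extension(name):
    """Return the apparent extension after mapping confusable dots to '.'."""
    lowered = name.lower()
    for ch in CONFUSABLE_DOTS:
        lowered = lowered.replace(ch, ".")
    if "." not in lowered:
        return ""
    return lowered.rsplit(".", 1)[-1]


def suspicious_members(zip_bytes):
    """Inspect every member of a ZIP archive held in memory.

    Returns a list of (member_name, [reasons]) for members that use a
    confusable dot in their name, start with the ELF magic, or both.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            reasons = []
            for ch, label in CONFUSABLE_DOTS.items():
                if ch in name:
                    reasons.append(f"confusable dot U+{ord(ch):04X} ({label})")
            # Only the first four bytes are needed to identify an ELF file.
            with zf.open(info) as member:
                head = member.read(len(ELF_MAGIC))
            is_elf = head == ELF_MAGIC
            if is_elf:
                reasons.append("ELF executable")
            if is_elf and _normalized_extension(name) in DOCUMENT_EXTENSIONS:
                reasons.append("document-looking name on ELF payload")
            if reasons:
                findings.append((name, reasons))
    return findings


def build_sample_archive():
    """Constructed sample archive: one ELF-like lure named with U+2024 plus a benign file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # ELF magic, EI_CLASS=2 (64-bit), EI_DATA=1 (little endian), EI_VERSION=1, padding.
        zf.writestr("HSBC job offer\u2024pdf", ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9)
        zf.writestr("README.txt", b"benign text")
    return buf.getvalue()


if __name__ == "__main__":
    for member_name, why in suspicious_members(build_sample_archive()):
        print(member_name, "->", "; ".join(why))
```

On the constructed sample the lure is reported for all three reasons and README.txt is not reported. The check reads only the first four bytes of each member, so it is cheap enough to run on every archive attachment at a mail gateway or sandbox intake; treating any confusable dot in a filename as suspicious on its own is deliberate, since legitimate filenames almost never contain them.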
Preparations for the attack go back to at least December 2022, which suggests the attackers had already gained a foothold in 3CX's network late last year. A few days before the attack became public, a previously unknown Linux downloader was submitted to VirusTotal. It fetches a new Lazarus backdoor for Linux, called SimplexTea, which connects to the same Command & Control server as the payloads used in the 3CX attack.
What is a supply chain attack
Supply chain attacks are very popular with attackers. The term describes scenarios in which the adversary compromises a vendor's build process or development cycle so that the legitimate product, or an update to it, carries malicious code. End users then receive the manipulated software through the channel they already trust.
About the attack on 3CX
3CX offers client software for its phone system as a web browser client, mobile app or desktop application. In late March 2023, the desktop application for both Windows and macOS was found to contain malicious code. This allowed attackers to download and run arbitrary code on any machine on which the application was installed. 3CX itself had been compromised, and its software was used in a supply chain attack to distribute additional malware to certain 3CX customers.
More at ESET.com
About ESET
ESET is a European company with headquarters in Bratislava (Slovakia). ESET has been developing award-winning security software since 1987 that has already helped over 100 million users enjoy secure technology. The broad portfolio of security products covers all common platforms and offers companies and consumers worldwide the perfect balance between performance and proactive protection. The company has a global sales network in over 180 countries and branches in Jena, San Diego, Singapore and Buenos Aires. For more information, visit www.eset.de or follow us on LinkedIn, Facebook and Twitter.